
Noisy Bear Phishing Campaign Against KazMunaiGas Identified as Planned Test

📰 2 unique sources, 2 articles

Summary


A phishing campaign targeting KazMunaiGas employees was initially attributed to the Noisy Bear threat actor. The campaign, codenamed Operation BarrelFire, involved phishing emails with malicious attachments. KazMunaiGas later clarified that the activity was part of a planned phishing test conducted in May 2025. The lure was a ZIP file containing a Windows shortcut (LNK) downloader, a decoy document, and instructions in Russian and Kazakh. The LNK file dropped additional payloads, including a PowerShell loader and a DLL-based implant. The infrastructure was hosted on a Russia-based bulletproof hosting service. The campaign was first reported in September 2025; KazMunaiGas confirmed it was a test in response to that report. The Noisy Bear threat actor has been active since at least April 2025, and the campaign used techniques such as anti-analysis measures and CreateRemoteThread injection. The activity was assessed to have geopolitical implications, potentially aiming to sustain an information advantage in Central Asia.

Timeline

  1. 06.09.2025 18:13 📰 2 articles

    KazMunaiGas Phishing Campaign Identified as Planned Test

    A phishing campaign targeting KazMunaiGas employees, initially attributed to the Noisy Bear threat actor, was confirmed to be a planned phishing test conducted by KazMunaiGas in May 2025. The campaign involved phishing emails with malicious attachments: a ZIP file containing a Windows shortcut (LNK) downloader, a decoy document, and instructions in Russian and Kazakh. The LNK file dropped additional payloads, leading to the deployment of a DLL-based implant. The phishing emails impersonated mundane company business, such as reviewing work schedules and wages. The LNK file executed a batch script that retrieved a PowerShell loader named DownShell, which included anti-analysis measures to bypass the Windows Antimalware Scan Interface (AMSI) and used CreateRemoteThread injection to establish a reverse shell. KazMunaiGas clarified that the activity was part of a phishing training exercise, dismissing the initial report of a cyber espionage operation. The Noisy Bear threat actor has been active since at least April 2025; the campaign was described as using sophisticated techniques and as having geopolitical implications.


Similar Happenings

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has previously been used by the Interlock ransomware gang.

The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries; the phishing site has been translated into at least 16 languages. The attack chain begins with a phishing email impersonating Facebook security, warning users of account suspension, and uses AI-generated images in the steganography process. FileFix is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog, and offers a broader range of high-value targets because of that. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. One FileFix variant involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query.

A related attack uses a Windows shortcut (LNK) file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has thus evolved into a more sophisticated, multi-stage infection chain (Windows File Explorer, a fake PDF lure, and an MSI package deploying MetaStealer) that combines social engineering with technical evasion to bypass traditional detection.

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.

Phishing campaign using SVG files to deploy Base64-encoded pages

A new malware campaign has been identified using Scalable Vector Graphics (SVG) files to deploy phishing pages. The SVG files, distributed via email, impersonate the Colombian judicial system and execute a JavaScript payload to inject a Base64-encoded HTML phishing page. This page mimics an official government document download process while downloading a ZIP archive in the background. The campaign has been active since at least August 14, 2025, and includes 523 unique SVG files that have evaded antivirus detection. The campaign is part of a broader trend where attackers are targeting macOS users with information stealers like Atomic macOS Stealer (AMOS). This stealer can exfiltrate a wide range of sensitive data, including credentials, browser data, and cryptocurrency wallets. The attackers use cracked software and ClickFix-style tactics to lure users into infecting their systems, bypassing macOS's Gatekeeper protections.

GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen

A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.